We are sending logs received by our heavy forwarder to a 3rd-party syslog server. We thought we had it configured so that only WinEventLogs are being forwarded to the 3rd party, but it turns out they're getting everything (sourcetypes they don't need, etc). What is the best way to filter out all of these other events? Either from the universal forwarders to the HF, or from the HF to the 3rd party.
For background, here's our basic setup. I'll post our config further down.
UFs -> Heavy Forwarder -> 3rd party syslog-ng server
The UFs themselves have two tcpouts: one to our indexers, and the other is the heavy forwarder. They are otherwise identical.
The heavy forwarder has a props, transforms, and output that is supposed to only route WinEventLog:* to the syslog destination. It has a separate outputs.conf that tells it to turn off local indexing and disable the forwarderindex.filter (maybe this it the problem; not sure). We don't seem to have anything specifically telling the HF not to send anything except for WinEventLogs to the syslog destination; not sure how to implement that, if it's needed.
[One side note, we eventually need to send dhcp logs to the 3rd-party. Right now, they're getting there, but the "source" is actually showing as the heavy forwarder. They're configured on the UFs to go to a different index from the Windows event logs, but I would need to stop the inserting of the heavy forwarder as the source, and allow for that index to be sent from the HF to the 3rd party. I might save this all for a different discussion post, but just throwing it out there.]